Savvy Hackers Don't Need Malware

When the Democratic National Committee revealed in June that its systems had been compromised for more than a year, a forensic analysis indicated the suspected Russian hackers didn't use a lot of malware. Instead, the attackers often used legitimate tools and utilities to creep throughout the network - the so-called "low and slow" method.

It's a technique that has long caused worry, because malware-less lateral movement doesn't usually set off alarm bells. Companies' defensive focus has instead long been on stopping malware so a compromise doesn't occur in the first place.

But if attackers get past that first hurdle, their actions from that point can be hard to detect. The problem is illustrated in a new report from cybersecurity vendor LightCyber.

Over the past six months, the company collected anonymized data from 60 of its customers, who are in verticals such as finance, healthcare, government and telecommunications. Unsurprisingly, many had been compromised by malware. And virtually all of the tools that were used to move through an organization's network weren't actually malware, says David Thompson, senior director of product management.

The Rise of UEBA

The finding explains why attackers are able to stay in systems for months or even years. In February, FireEye's Mandiant forensics unit said the median number of days between when a company was breached and the attack was discovered was 146 days in 2015. It's an improvement over 2014, when the figure was 205 days, but still an awfully long time.

One idea to close that gap is to quickly spot attackers that at a quick glance may appear legitimate. LightCyber is just one of many security companies that are working on techniques to do this, an area that analyst Gartner refers to as user and entity behavior analytics, or UEBA. By next year, Gartner predicts at least 20 percent of the major security vendors that do some form of user monitoring will incorporate advanced analytics and UEBA into their products.

Attackers often behave much differently than regular users. Once on a network, some hackers noisily stumble around, trying to figure out how a network is constructed and where the sensitive assets may be. Indicators that someone is lurking can include excessive port scans, excessive failed logins and failed attempts to access other devices or ports, according to LightCyber's report.

The tools used by attackers to move around are often already installed. In the Democratic National Committee incident, Crowdstrike found the suspected Russian attackers employed Microsoft's powerful scripting tool, PowerShell. It's installed on virtually all Windows computers. Also used was Windows Management Instrumentation, which is a framework for managing computers across a network (see After Russia Hacks DNC: Surprising Candor).

Thompson said the TeamViewer remote access tool is also a favored method. Sometimes, it has already been installed by employees without permission. TeamViewer has many security features designed to alert users to login attempts and flag suspicious ones, but the company saw a raft of mostly consumer accounts taken over in June (see TeamViewer Bolsters Security After Account Takeovers).

"You want to understand what is being used for remote access and have something in place to monitor that," Thompson says.

All of the tools, of course, are dual-purpose: Security pros use them for their own penetration tests. But when what appear to be regular users suddenly start using these tools - or installing them - it could mean an attacker is on the move.

"In our study, Ping was associated with users generating excessive numbers of failed connections - trying to access resources that did not exist or were not responsive - a clear anomaly indicative of network reconnaissance," LightCyber's report reads.
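The indicators above (excessive failed connections, and a regular user suddenly running PowerShell, WMI or TeamViewer) only mean something relative to what that user or host normally does. As an added illustration, not code from the article or from LightCyber, here is a small baseline-versus-recent comparison of the kind UEBA products perform; the log line format, the tool list and the sample lines are all constructed for this example.

```python
"""Two UEBA-style checks over constructed endpoint/network log lines."""
import re
from collections import Counter, defaultdict

# Dual-use admin tools the article mentions (assumed binary names); their use
# is only suspicious relative to what a given user normally runs.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "teamviewer.exe"}
# Constructed line format: <timestamp> <user>@<host> <action> <target>
LINE_RE = re.compile(r"^(\S+) (\w+)@(\w+) (PROC|CONNFAIL|LOGONFAIL) (\S+)$")

BASELINE_LOG = [  # constructed "normal" period
    "2016-06-01T09:00 alice@ws01 PROC outlook.exe",
    "2016-06-01T09:05 alice@ws01 PROC excel.exe",
    "2016-06-01T09:10 bob@adm01 PROC powershell.exe",  # an admin's daily tool
    "2016-06-01T09:15 alice@ws01 CONNFAIL 10.0.0.20:445",
]
RECENT_LOG = [  # constructed period under review
    "2016-06-20T02:00 alice@ws01 PROC powershell.exe",
    "2016-06-20T02:01 alice@ws01 PROC wmic.exe",
    "2016-06-20T02:02 bob@adm01 PROC powershell.exe",
] + [f"2016-06-20T02:0{i} alice@ws01 CONNFAIL 10.0.0.2{i}:445" for i in range(3, 8)] + [
    "2016-06-20T02:09 alice@ws01 LOGONFAIL srv01",
]

def parse(lines):
    """Yield (ts, user, host, action, target) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def build_baseline(lines):
    """Per-user set of processes seen and per-host failure count during normal operation."""
    procs, fails = defaultdict(set), Counter()
    for _, user, host, action, target in parse(lines):
        if action == "PROC":
            procs[user].add(target.lower())
        else:
            fails[host] += 1
    return procs, fails

def detect(baseline_lines, recent_lines, fail_factor=5):
    """Return alerts: an admin tool new to a user, and hosts whose failed
    logon/connection count exceeds fail_factor times their own baseline."""
    procs, base_fails = build_baseline(baseline_lines)
    alerts, recent_fails, targets = [], Counter(), defaultdict(set)
    for ts, user, host, action, target in parse(recent_lines):
        if action == "PROC":
            tool = target.lower()
            if tool in ADMIN_TOOLS and tool not in procs[user]:
                alerts.append(f"{ts} {user}@{host} first use of {tool}")
        else:
            recent_fails[host] += 1
            targets[host].add(target)
    for host, n in recent_fails.items():
        if n > fail_factor * max(base_fails[host], 1):
            alerts.append(f"{host}: {n} failed logons/connections to {len(targets[host])} targets")
    return alerts
```

Running `detect(BASELINE_LOG, RECENT_LOG)` flags alice's first use of PowerShell and WMI and the burst of failures from ws01, while bob's routine PowerShell use stays quiet.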

BeyondExec Remote Service was a surprise finding. Anti-virus vendors classify it as a "potentially unwanted application," which is the industry's nice way of avoiding accusations of slander for tagging an application as malware or spyware. Several of the 60 organizations studied had it installed.

"In one particular network, this application was running on more than 40 hosts, much to the IT team's surprise," the report says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
